What is PCI Compliance?
PCI compliance is a term that has been in the news a lot over the past couple years.
But what is it?
‘PCI Compliance’ or ‘PCI Security Compliance’ is Payment Card Industry Security Compliance. It addresses any business that accepts credit card or debit card for payment, and is a standard that has emerged as the ‘bench test’ for whether or not your retail operations are a security risk for credit card information theft.
The rising incidence of stolen cardholder account data is a major concern for all businesses that accept payments by credit or debit card. As a result of these thefts, merchants and financial institutions suffer fraud losses and unanticipated operational expenses, and consumers are inconvenienced significantly.
What Does It Mean To Me?
If you collect or store credit card information, and if it is compromised, you may lose the ability to accept credit cards at your business, or you may face higher processing rates. In the U.S., you may also be libel, not only for the credit card information compromised, but for non-compliance for new Security Awareness Training guidelines if your employees have had little or no security awareness training. If you store credit or debit card information, no matter what country you are in, you are required to follow PA-DSS Compliant Applications (Payment Application – Data Security Standards)
To protect your business, your customers, and the integrity of the payment system, each of the card companies has in place a set of requirements governing the safekeeping of account information.
-
Install and maintain firewall to protect cardholder data.
-
Do not use vendor-supplied default system passwords.
-
Protect stored cardholder data.
-
Encrypt transmission of cardholder data across network .
-
Use and regularly update anti-virus software.
-
Develop and maintain secure systems and applications.
-
Regularly test security systems and processes.
-
Maintain a policy that addresses information security.
There are 4 different levels of PCI Compliance, depending on the number of eCommerce and regular transactions your business does annually.
To check if you are following the compliance standards, visit the PCI Security Standards Council – the organization that manages these standards. This is an excellent website that also allows you to perform a self-assessment.
So that covers the legalities of the electronic safekeeping of your information.
But..
Being PCI Compliant Does Not Ensure Safety
To rely solely on the PCI DSS checklists to secure cardholder data is similar to a pilot relying only on the pre-flight checklist before takeoff, then colliding with another plane during takeoff.
In reality, the goal of effective security controls is to prevent security breaches from occurring, and when they do, allow quick detection and recovery.
This requires not only following a checklist, but understanding the organization’s compliance and security objectives, understanding what the top risks to achieving those objective are, having adequate situational awareness to identify where you need controls to mitigate those risks, and then implement and monitoring the correct production controls.
The Human Factor
The U.S. Department of Health and Services has stated that bad or no security awareness training is a main cause of compliance failures. This is true not only for health care, but all industries such as banking, finance, manufacturing, and technology.
Your employees are your company’s biggest asset. They can also be your company’s weakest link.
Trend Micro reports that 91% of successful data breaches started with a spear-phishing attack.
Make sure your employees are up-to-date in their security awareness training.
Don’t Know What to Look For In Suspicious Emails: http://tbyd.ca/email-red-flags/
For all the latest virus/malware alerts go to: http://tbyd.ca/category/alerts/